
v2.11-SaaS

05 Nov, 2024

The sections below give a brief description of the new functionality and enhancements in this release.


Amazon EKS

Ubuntu 22.04 Node AMI Family Support

This release adds support for the Ubuntu 22.04 AMI family for EKS node groups.

[Screenshot: Ubuntu 22.04]

Pod Identity

EKS Pod Identity simplifies granting AWS IAM permissions to Kubernetes applications running in an Amazon EKS cluster: instead of an OIDC provider and a per-role web-identity trust (IRSA), the EKS Pod Identity service principal assumes the role on behalf of a service account. This release adds support for the feature on clusters managed through the Rafay platform, specifically:

  • Installation of the Amazon EKS Pod Identity Agent add-on: the agent runs as a DaemonSet on the cluster and can be installed on Day 0 for new clusters or on Day 2 for existing clusters
  • Creation of Pod Identity associations: binds a specific Kubernetes service account (namespace plus name) to an IAM role
  • Migration of existing IRSA configurations: converts existing IAM Roles for Service Accounts (IRSA) bindings into Pod Identity associations

Info

To learn more about how to use EKS Pod Identity and its associations with Rafay, please read the following blogs: Introducing EKS Pod Identity and EKS Pod Identity with Rafay.

This feature will be supported through all interfaces including UI, RCTL, Terraform, System Sync and Swagger APIs.

Add-on Deployment in Day 0

[Screenshot: PIA Day 0]

Add-on Deployment in Day 2

[Screenshot: PIA Day 2]

Pod Identity Associations

[Screenshot: PIA]

Migration

[Screenshot: Migration]

Note

  • Pod Identity associations for EKS managed add-ons are not available in this release and will be included in a subsequent release
  • Permissions required: to use this feature, the IAM role or user behind the cloud credential needs the following permissions:

    "eks:CreatePodIdentityAssociation",
    "eks:DescribePodIdentityAssociation",
    "eks:DeletePodIdentityAssociation",
    "eks:UpdatePodIdentityAssociation",
    "eks:ListPodIdentityAssociations"

  • Migrating from IRSA to Pod Identity associations requires one additional permission on top of the set above: iam:UntagRole
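Two checks worth running before pointing the platform at a role, shown here as an added example (not Rafay or AWS code): whether the cloud credential's IAM policy actually covers the permissions listed above (IAM action wildcards such as eks:* count, an explicit Deny wins), and whether the target role's trust policy is ready for Pod Identity, which needs the pods.eks.amazonaws.com service principal allowed for both sts:AssumeRole and sts:TagSession rather than the IRSA AssumeRoleWithWebIdentity statement. The account ID, OIDC provider URL, namespace and service-account name in the sample documents are made-up values; the policy shapes and action names are the documented AWS ones.

```python
"""Pre-flight checks for EKS Pod Identity rollout and IRSA migration.

Added example, not Rafay or AWS code. Sample account ID, OIDC URL,
namespace and service-account name are constructed values.
"""
import copy
import fnmatch
import json

POD_IDENTITY_SERVICE = "pods.eks.amazonaws.com"
POD_IDENTITY_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}

# Permissions the release note lists for the cloud credential, plus the
# extra one it requires for IRSA migration.
ASSOCIATION_ACTIONS = {
    "eks:CreatePodIdentityAssociation",
    "eks:DescribePodIdentityAssociation",
    "eks:DeletePodIdentityAssociation",
    "eks:UpdatePodIdentityAssociation",
    "eks:ListPodIdentityAssociations",
}
MIGRATION_ACTIONS = ASSOCIATION_ACTIONS | {"iam:UntagRole"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def missing_credential_actions(policy, migrate=False):
    """Return the required actions that `policy` does not effectively grant.

    Honours IAM action wildcards ("eks:*", "eks:*PodIdentity*") and reports
    any required action hit by a Deny, since Deny overrides Allow.
    NotAction statements are not evaluated here.
    """
    required = MIGRATION_ACTIONS if migrate else ASSOCIATION_ACTIONS
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        target = allowed if st.get("Effect") == "Allow" else denied
        for act in required:  # IAM action matching is case-insensitive
            if any(fnmatch.fnmatchcase(act.lower(), p) for p in patterns):
                target.add(act)
    return sorted((required - allowed) | (denied & required))


def trust_policy_gaps(trust_policy):
    """Return the Pod Identity actions the role's trust policy still lacks.

    Pod Identity does not go through the cluster OIDC provider, so an IRSA
    trust statement (Federated principal + AssumeRoleWithWebIdentity) does
    not count; the EKS Pod Identity service principal must be allowed both
    sts:AssumeRole and sts:TagSession.
    """
    granted = set()
    for st in _as_list(trust_policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and POD_IDENTITY_SERVICE in services:
            granted |= set(_as_list(st.get("Action", [])))
    return sorted(POD_IDENTITY_ACTIONS - granted)


def add_pod_identity_trust(trust_policy):
    """Return a copy of the trust policy with the Pod Identity statement added.

    The IRSA statement is kept so workloads keep working until the
    association exists; remove it afterwards to close the OIDC path.
    """
    out = copy.deepcopy(trust_policy)
    out["Statement"] = _as_list(out.get("Statement", []))
    if trust_policy_gaps(out):
        out["Statement"].append({
            "Sid": "AllowEksPodIdentity",
            "Effect": "Allow",
            "Principal": {"Service": POD_IDENTITY_SERVICE},
            "Action": sorted(POD_IDENTITY_ACTIONS),
        })
    return out


# Constructed sample: the trust policy an existing IRSA role would carry.
OIDC = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
IRSA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:payments:api",
            f"{OIDC}:aud": "sts.amazonaws.com",
        }},
    }],
}

# Constructed sample: a cloud-credential policy that covers the association
# permissions via a wildcard but lacks the extra permission migration needs.
CREDENTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["eks:*PodIdentityAssociation*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print("trust gaps:", trust_policy_gaps(IRSA_TRUST))
    print("credential gaps (migration):", missing_credential_actions(CREDENTIAL_POLICY, migrate=True))
    print(json.dumps(add_pod_identity_trust(IRSA_TRUST), indent=2))
```

Feed `aws iam get-role --query Role.AssumeRolePolicyDocument` output to trust_policy_gaps and the credential's attached policy document to missing_credential_actions; an empty list from both means the platform can create the association and the role will actually be assumable by the Pod Identity agent.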

Info

Click here to learn more about Rafay's support for EKS Pod Identity.


Upstream Kubernetes for Bare Metal and VMs

The features in this section are for Rafay's Kubernetes Distribution (aka Rafay MKS).

Ubuntu 24.04 LTS

Support has been added for the Ubuntu 24.04 LTS operating system. This allows users to leverage Ubuntu 24.04-based nodes for their Rafay MKS clusters.

[Screenshot: Ubuntu 24.04]

Cordon/Uncordon/Drain Node Actions

New node actions have been introduced: Cordon, Uncordon, and Drain. These actions let users take nodes out of scheduling, evict their workloads, and return them to service without leaving the platform. They are supported through the UI, RCTL, and Swagger API interfaces. For governance and compliance purposes, each of these actions writes an immutable entry to the centralized audit logging system.

[Screenshot: Node Actions]

Info

For information on CLI commands, please refer here.

LDAP Support

It is now possible to run the Conjurer binary on a node with an LDAP user and install the minion agent.

Inter-Pod Communication Check

MKS cluster provisioning now includes an inter-pod communication check. After each node is added, a pod is deployed on the new node to verify pod-to-pod communication between it and the existing master nodes.

Terraform/OpenTofu Provider

In addition to using the existing interfaces (UI, API, CLI and GitOps SystemSync), users can now also use Terraform/OpenTofu providers to manage the lifecycle (i.e. configure, provision, upgrade, scale, delete) of Rafay MKS based upstream Kubernetes clusters.

Support has also been added for a data source for upstream Kubernetes clusters (rafay_mks_cluster). This allows users to query cluster-specific information during lifecycle management and use it elsewhere in their automation workflows.

This functionality is available from version 1.37 of Rafay's Terraform Provider.


Environment Manager

Drivers (aka Workflow Handlers)

Custom workflows can already be executed by packaging them as a container and/or as a set of HTTP calls. With this enhancement, Drivers/Workflow Handlers can also execute code written in Go or Python.

Drivers/Workflow Handlers can be leveraged at multiple places including as part of:

  • Resource templates through the Custom Provider option
  • Hooks attached to the resource/environment template configuration (e.g. approval is needed in ServiceNow before environment provisioning is initiated)
  • Schedule policy (e.g. capture snapshot of K8s resources every 24 hrs)

The ability to execute custom code written in Go or Python will be supported through RCTL CLI, Terraform, System Sync and APIs interfaces initially. Support for UI interface will be added in a subsequent release. For more information on this feature, please refer here.

UI support for Schedules

Support for Schedules feature with RCTL CLI, System Sync and API interfaces was added with a previous release. This release adds support for UI interface.


GitOps

UI enhancements: Pipelines and Approvals

A number of UI improvements have been implemented for the Pipelines and Approvals pages. These are intended to make it easy to get visibility into recent pipeline runs and pending approvals.

Pipelines page:

  • Ability to search by pipeline name
  • Ability to sort by columns
  • Additional columns, "Created At" and "Last Run"

[Screenshot: Pipelines page]

Approvals page:

  • Ability to search by pipeline name
  • Ability to filter by Status (pending or approved)

[Screenshot: Approvals page]

System to Git Sync

When the Platform team has standardized on GitOps as the interface for SRE/end-user teams (i.e. all actions are driven through spec files in the Git repo), those teams have to be taught the folder structure the repository must use for the various resource types (e.g. clusters).

With this enhancement, the required folder structure (empty folders) is automatically created for all resources that have been selected as part of the System Sync pipeline on the first System to Git sync. This makes it extremely easy for Platform teams to onboard new teams (create a project, a system sync pipeline and hand-off to the SRE/end user teams).


Role Based Access

Break Glass Workflows

There are scenarios where users (e.g. developers) require elevated privileges for a limited period of time, for example to troubleshoot an application running in a production cluster. This new feature allows Platform teams (Org Admins) to:

  • Temporarily assign users to override groups with elevated privileges
  • Integrate with external systems of record such as ServiceNow or Jira to enable workflows where access can be granted upon approval
  • Centralized audit logs capture the temporary access assignment/delete action and Platform teams (Org Admins) have full visibility into users who have temporary access across the organization
  • Stream the audit logs to the organization's SIEM such as Splunk
  • Export the audit logs as a CSV

Administrators can configure and use this feature through UI, RCTL CLI, Terraform and APIs interfaces.

Shown below is an example of a break glass configuration.

[Screenshot: Break Glass Access configuration]

Shown below is an example of the audit logs for break glass.

[Screenshot: Break Glass Access audit logs]

Info

To learn more about the concepts behind break glass, please read our recent blogs: An Introduction to Break Glass Workflows for Developer Access to Kubernetes Clusters and Enhancing Security and Compliance in Break Glass Workflows with Rafay. For more information about this feature, please refer here.
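Once the break-glass audit events are streamed to the SIEM, the controls a security team usually wants around temporary elevated access can be enforced as detections. The added example below is not Rafay code and the event schema it reads (action, user, group, ticket, expires_at fields in JSON lines) is hypothetical, since the release note does not document the export format; adapt the field names to what your SIEM actually receives. It flags three conditions: a grant with no approval ticket reference, a grant longer than the permitted window, and a grant whose expiry has passed without a matching delete/revoke event, which is the case that means elevated access is still live.

```python
"""Detection rules over break-glass audit events (JSON lines).

Added example, not Rafay code. The event field names are a hypothetical
export schema; the sample events are constructed.
"""
import json
from datetime import datetime, timedelta

MAX_GRANT = timedelta(hours=4)  # policy: no temporary grant longer than this

# Constructed sample events in the hypothetical schema described above.
SAMPLE_EVENTS = """\
{"ts":"2024-11-05T09:00:00Z","action":"breakglass.grant","user":"alice@example.com","group":"prod-cluster-admin-override","ticket":"SNOW-4411","expires_at":"2024-11-05T11:00:00Z"}
{"ts":"2024-11-05T09:05:00Z","action":"breakglass.grant","user":"bob@example.com","group":"prod-cluster-admin-override","ticket":null,"expires_at":"2024-11-05T10:05:00Z"}
{"ts":"2024-11-05T09:10:00Z","action":"breakglass.grant","user":"carol@example.com","group":"prod-cluster-admin-override","ticket":"JIRA-9001","expires_at":"2024-11-06T09:10:00Z"}
{"ts":"2024-11-05T10:55:00Z","action":"breakglass.revoke","user":"alice@example.com","group":"prod-cluster-admin-override"}
"""


def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(lines, now, max_grant=MAX_GRANT):
    """Return (user, finding) pairs for the break-glass events in `lines`.

    Grants are tracked per (user, group) until a matching revoke is seen;
    whatever is still open and past its expiry at `now` is reported.
    """
    findings = []
    open_grants = {}  # (user, group) -> grant event
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["user"], ev["group"])
        if ev["action"] == "breakglass.grant":
            if not ev.get("ticket"):
                findings.append((ev["user"], "grant-without-approval-ticket"))
            if parse_ts(ev["expires_at"]) - parse_ts(ev["ts"]) > max_grant:
                findings.append((ev["user"], "grant-exceeds-max-window"))
            open_grants[key] = ev
        elif ev["action"] == "breakglass.revoke":
            open_grants.pop(key, None)
    for (user, _group), ev in open_grants.items():
        if parse_ts(ev["expires_at"]) < now:
            findings.append((user, "expired-grant-never-revoked"))
    return findings


def run_sample():
    """Run the rules over the constructed sample as of 12:00 UTC that day."""
    return detect(SAMPLE_EVENTS, parse_ts("2024-11-05T12:00:00Z"))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{finding}: {user}")
```

In the sample, alice's grant is revoked before expiry and produces nothing; bob's grant has no ticket and is still open after it expired; carol's 24-hour grant exceeds the 4-hour policy. The last rule is the one to schedule rather than run on ingest, since it depends on the current time.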


Cost Management

Google Cloud Platform (GCP)

Support has been added to configure Cost Profiles for GCP with this enhancement. This allows customers to leverage the chargeback and cluster/application rightsizing capabilities available today for GKE clusters as well.

[Screenshot: GCP cost profile]

Info

For more information on this feature, please refer here.


Audit Logs

Namespace Operations

Audit logs are being added for namespace creation/delete operations that were handled implicitly by the controller. An example for this is an implicit namespace creation as part of an add-on deployment during the blueprint sync process.


User Experience in Rafay Console

Namespace Admin users

A number of improvements have been implemented to the experience for namespace admin roles. These include filtering objects in the UI and the ability to download the kubeconfig for a specific cluster (rather than a consolidated kubeconfig).

Page Size Selection

With this enhancement, any changes that the user makes to the 'rows per page' selection will be persisted across pages for that specific browser session.

Node labels

With this enhancement, node labels are organized into sections and are searchable.

[Screenshot: Node labels]


Bug Fixes

Bug ID      Description
RC-30381    Backup/restore jobs are not cleaned up when the cluster is deleted
RC-37499    Upstream k8s: Unable to add worker nodes to existing clusters in certain scenarios
RC-36543    Blueprint Sync operation is not successful when updating the blueprint version to remove an undesired add-on
RC-28677    UI: 404 error when pod metrics are unavailable
RC-33389    Modified time is updated and audit log entries are created on a workload publish action even when there are no changes
RC-32540    UI: Validate option for cloud credentials for backup/restore is not disabled
RC-38160    UI: Arrow mark does not rotate on sorting columns on the GitOps pipeline page
RC-37716    UI: Node details field text is not wrapped appropriately